1. Field of the Invention
This invention relates to a security information implementation system and an LSI for providing the system.
2. Description of the Related Art
Key information required for decrypting encrypted information is embedded in a storage device storing content to be copyrighted such as a DVD or an SD card, a system LSI of a terminal for playing back or demodulating the storage device, and the like.
The key information is a strictly security item for not only the user, but also the manufacturer of the terminal for copyright protection and preventing unauthorized use of the terminal. That is, the key information is strictly managed at the development stage of a system LSI in which the key information is embedded, the fuse implementation stage, one of the manufacturing steps of the system LSI, and the set implementation stage of combining the system LSI with memory, etc., to manufacture the terminal.
The applicant previously disclosed a key implementation system wherein security information concerning a key-implemented system and an LSI used therewith is distributed, whereby the security and concealment of the key can be improved and various security keys can also be easily implemented and further it is made possible to test the implemented value without increasing the circuit scale. (For example, refer to JP-A-2003-101527, FIG. 18.)
FIG. 18 is a block diagram to show the schematic configuration to describe a key implementation system 7 disclosed in the patent document. In the description to follow, it is assumed that symmetric cryptography is adopted for encryption and decryption processing. The “symmetric cryptograph” has the following characteristic: Assuming that the encryption result of A as input using a key B by an encryption circuit 50 is C, the decryption result of the input C using the key B by a decryption circuit 51 becomes A, as shown in FIG. 19. The encrypted key provided by encrypting X using a key Y is represented as EX (Y).
An LSI 70 includes a first selector 64 for inputting second and third inputs IN2 and IN3 and selectively outputting either of them in response to a test signal TEST. A first decryption circuit X 33 inputs the output of the first selector 64. The LSI 70 is provided with a seed generation section 71 including a first constant storage section 72, a second selector 73, a second constant storage section 74, and a second one-way function circuit B 75.
The first constant storage section 72 stores a first constant IDfuse on which a conversion seed IDfuse1 is based and a second constant IDtst on which a test conversion seed IDtst1 is based. The first constant storage section 72 is configured so that any desired values can be implemented by fuse blowing by laser trimming, etc., as the first constant IDfuse and the second constant IDtst.
The second selector 73 selectively outputs either of the first and second constants IDfuse and IDtst in response to a test signal TEST. The second constant storage section 74 stores a third constant Const. The second one-way function circuit B 75 converts the third constant Const as a conversion seed by a one-way function using the output of the second selector 73.
The LSI 70 includes a first one-way function circuit A 32 for converting the output of the second one-way function circuit B 75 as a conversion seed by a one-way function using the first input IN1 to generate a conversion key CK or a test conversion key CKtst, a first decryption circuit X 33 for decrypting the output of the first selector 64 using the output of the first one-way function circuit A 32 as a key, and a second decryption circuit Y 34 for decrypting the first input IN1 using the output of the first decryption circuit X 33 as a key.
The LSI 70 is provided with a verification circuit 65 for verifying the output of the second selector 73. The verification circuit 65 includes a constant storage section 66 wherein a constant CRCfuse corresponding to the result of redundancy operation on the constant IDfuse is fuse-implemented and a comparison circuit 67 for performing the above-mentioned redundancy operation on the output of the second selector 73 and making a comparison between the operation result and the constant CRCfuse stored in the constant storage section 66.
First, the operation at the inspection time of the LSI 70 will be discussed. In this case, the test signal TEST is set to “1.” At this time, the first selector 64 receives “1” as the test signal TEST and selects and outputs the input IN3, namely, a third encrypted key EMKtst (CKtst). The second selector 73 receives “1” as the test signal TEST and selects and outputs the second constant IDtst stored in the first constant storage section 72.
The second one-way function circuit B 75 converts the third constant Const stored in the second constant storage section 74 by a one-way function using the output of the second selector 73, namely, the second constant IDtst. That is, the seed generation section 71 outputs the test conversion seed IDtst1 as a conversion seed.
The first one-way function circuit A 32 converts the test conversion seed IDtst1 output from the seed generation section 71 by a one-way function corresponding to the function used to generate the test conversion key CKtst using first input IN1, namely, a first encrypted key EDK (MK). Accordingly, the one-way function circuit A 32 generates and outputs the test conversion key CKtst.
The first decryption circuit X 33 decrypts the output of the first selector 64, namely, the third encrypted key EMKtst (CKtst) using the output of the first one-way function circuit A 32, namely, the test conversion key CKtst as a key. Accordingly, the first decryption circuit X 33 generates and outputs a test internal key MKtst. The second decryption circuit Y 34 decrypts the first input IN1, namely, the first encrypted key EDK (MK) using the output of the first decryption circuit X 33, namely, the test internal key MKtst as a key. Accordingly, the second decryption circuit Y 34 generates a test final key DKtst.
Next, the operation at the usual time of the LSI 70 will be discussed. In this case, the test signal TEST is set to “0.” At this time, the first selector 64 receives “0” as the test signal TEST and selects and outputs the input IN2, namely, a second encrypted key EMK (CK). The second selector 73 receives “0” as the test signal TEST and selects and outputs the first constant IDfuse stored in the first constant storage section 72.
The second one-way function circuit B 75 converts the third constant Const stored in the second constant storage section 74 by a one-way function using the output of the second selector 73, namely, the first constant IDfuse. Accordingly is, the seed generation section 71 outputs the conversion seed IDfuse1.
The first one-way function circuit A 32 converts the conversion seed IDfuse1 output from the seed generation section 71 by a one-way function corresponding to the function used to generate the conversion key CK using the first encrypted key EDK (MK). Accordingly, the one-way function circuit A 32 generates and outputs the conversion key CK.
The first decryption circuit X 33 decrypts the output of the first selector 64, namely, the second encrypted key EMK (CK) using the output of the first one-way function circuit A 32, namely, the conversion key CK as a key. Accordingly, the first decryption circuit X 33 generates and outputs an internal key MK. The second decryption circuit Y 34 decrypts the first input IN1, namely, the first encrypted key EDK (MK) using the output of the first decryption circuit X 33, namely, the internal key MK as a key. Accordingly, the second decryption circuit Y 34 generates a final key DK.
At this time, the output of the second selector 73 is also input to the comparison circuit 67 in the verification circuit 65. The comparison circuit 67 checks whether or not the result of the redundancy operation on the output of the second selector 73 and the CRCfuse fuse-implemented in the constant storage section 66 are the same. Accordingly, the second IDfuse stored in the seed generation section 71 can be checked for validity.
In the key implementation system in the related art described above, from a terminal, a system LSI, or a storage section drained out by fraudulent means, the manufacturer, etc., manufacturing the terminal, the system LSI, or the storage section cannot be identified. If specific security information is leaked, terminals or system LSIs that can perform usual operation can be manufactured in large quantity by copying the specific security information, and the copyright cannot sufficiently be protected.
In the key implementation system in the related art described above, protecting security information based on IDfuse varying from one machine to another or using one desired fixed value cannot be selected in response to the security information. Thus, flexible implementation cannot be accomplished.